==Phrack Inc.==
Volume 0x0e, Issue 0x44, Phile #0x03 of 0x13
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack World News ]=------------------------=|
|=-----------------------------------------------------------------------=|
|=----------------------------=[ by TCLH ]=------------------------------=|
|=-----------------------------------------------------------------------=|
It is been a while since the last Phrack World News, and much has happened
in our world since then. Governments have been overthrown [1], human rights
partially restored in one country, and taken away in the next [2]. The
so-called first world has been bought, delivers monitoring and suppression
equipment to totalitarian countries [3] as well as making its use a legal
requirement in their owni [4]. The content mafia, considering every form of
creative and work output their property, has declared war on all internet
citizen. No matter if picture, song, movie or academic paper, you shall pay
for its consumption or be banned from the net [5]. That they are actually
trying to resist evolution [6] is of no concern to them.
In times like that, where your network traffic may go though more deep
packet inspection engines than observable hops in traceroute, the hacker
shall reconsider his ways of communication. It is no longer enough to
SSH/VPN into one of your boxes and jump into your screen sessions, as the
communication of that box is monitored as much as your home network
connection.
Global surveillance is no longer stuff from science fiction books, or
attributed only to the most powerful secret services in the world. It
becomes a requirement for most ISPs to stay in business. They can either
sell you, or they can sell their company, and you can bet that the later is
not an option they consider.
Besides, traffic patterns of the average internet user change. We are
approaching a time when the ordinary user will only emit HTTP traffic with
his daily activities, making it easy for anyone interested to single out
the more creative minds, just by the fact that they still use protocols
like SSH, OpenVPN and IRC with their unmistakable signatures. It is up to
us to come up with new and creative ways of using this internet before
packets get dropped based on their protocol characteristics and we find
ourselves limited to Google+ and Facebook.
At the same time, the additional protections we have come to rely on prove
to be as bad as we always thought they might be. When breaking into a
certificate authority is as easy as it was with DigiNotar [7], when the
database of Comodo [8] ends up in BitTorrents, we are facing bigger
challenges than ever before. There are various discussions all over the net
on how to deal with the mess that is our common PKI. From the IETF [9] to
nation states, everyone has their own ideas. When certificate authorities
are taken over by governments or forced to issue Sub-CA certificates to the
same [10], it's not a trust mechanism we shall rely on.
An attitude that this is someone else's problem doesn't help. As more and
more functions of daily life move online, everyone is exposed to these
problems. Even if you know how to spot certificate changes, you will still
need to access the web site. HTTPS doesn't provide a plan B option. The CA
nightmare calls for the gifted and smart people to work together and find a
long term dependable solution. This is the time where your talent, skills
and experience is required, unless you are fine with government and vendor
driven committees to "solve" it.
Meanwhile over at IRC's little pre-teen sister Twitter, whose attention
span is shorter than that of a fruit fly and easily bought, people hype
so-called solutions [11] to the problem without doubts. Although their
heros abandon privacy solutions people depend on the moment someone waves a
little money in their face [12], the masses rather believe in a savior than
to think and evaluate for themselves. Are you one of them?
Unquestioned believe becomes the new normal. Whether it is Google or Apple
fanboyism, the companies can do whatever they want. Apple ships products
with several year old vulnerabilities [13] in open source components they
reused and nobody notices. Everyone can make X.509 certificates that iPhone
and iPad will happily accept [14]? No problem. Think back and consider the
shit storm if that would have been Microsoft. These companies feel so
invincible that Apple's App Store Guidelines [15] openly state: "If you run
to the press and trash us, it never helps."
Critical thinking seems to become a challenge when you get what you want.
Just look at how many hackers use Gmail without any end-to-end encryption,
because it just works. Thich hacker using a hotmail email address was ever
taken serious? Where is the difference?
What Apple and Google are for the hip generation, Symantec is for
governments and corporations. They are seen as the one company that will
protect us all. When the source code of PCAnywhere is leaked [16] and the
same company simply advises its users to no longer use that software
product [16], you get an idea of how they evaluate the security of it
themselves. And what about all the systems in daily life that depend on it?
If nobody used PCAnywhere, Symantec would have stopped selling it long ago.
Therefore, they simply left a large user base out in the cold. And what
happens? Nothing. Except, maybe, that some have fun with various remote
access points.
It all comes down to knowledge. Knowledge cannot be obtained by believe.
Believe is a really bad substitute for actually knowing. And what is the
hacker community other than first and foremost the quest for knowledge that
you found out yourself by critically questioning everything put in front of
you. What you do with that knowledge is a question everyone has to answer
himself. But if we stop to learn, experiment and play, we stop being
hackers and become part of the masses. It is a sign of the times when only
very few hackers speak IPv6, leave alone use it. When you see more fuzzers
written than lines of code actually read, because coding up a simple
trash-generator is so much easier than actually understanding what the code
does and then precisely exploiting it.
The quest for knowledge defines us, not money or fame. Let's keep it up!
[1] https://en.wikipedia.org/wiki/Arab_spring
[2] https://en.wikipedia.org/wiki/2011%E2%80%932012_Syrian_uprising
[3] http://buggedplanet.info/index.php?title=EG
[4] https://en.wikipedia.org/wiki/Telecommunications_data_retention
[5] https://en.wikipedia.org/wiki/Three_strikes_%28policy%29
[6] http://www.wired.com/threatlevel/2012/02/peter-sunde/
[7] https://en.wikipedia.org/wiki/DigiNotar
[8] https://en.wikipedia.org/wiki/Comodo_Group#Breach_of_security
[9] http://www.ietf.org/mail-archive/web/therightkey/current/maillist.html
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=724929
[11] https://en.wikipedia.org/wiki/Convergence_%28SSL%29
[12] https://en.wikipedia.org/wiki/Whisper_Systems#Acquisition_by_Twitter
[13] http://support.apple.com/kb/HT5005
[14] http://support.apple.com/kb/HT4824
[15] https://developer.apple.com/appstore/guidelines.html
[16] http://resources.infosecinstitute.com/pcanywhere-leaked-source-code/
[17] http://www.symantec.com/connect/sites/default/files/pcAnywhere
%20Security%20Recommendations%20WP_01_23_Final.pdf
[ EOF ]